vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-05-02 17:00:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
nDPI/tests/result/tunnelbear.pcap.out
Ivan Nardi ca5ffc4988
TLS: improve handling of ALPN(s) (#1784) 
Tell "Advertised" ALPN list from "Negotiated" ALPN; the former is
extracted from the CH, the latter from the SH.

Add some entries to the known ALPN list.

Fix printing of "TLS Supported Versions" field.
2022-10-25 17:06:29 +02:00

55 lines
18 KiB
Text
Raw Blame History

Guessed flow protos: 3
DPI Packets (TCP): 125 (5.95 pkts/flow)
Confidence Match by port : 1 (flows)
Confidence DPI : 20 (flows)
Num dissector calls: 22 (1.05 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/6/0 (insert/search/found)
LRU cache mining: 0/1/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
Automa host: 26/17 (search/found)
Automa domain: 26/0 (search/found)
Automa tls cert: 3/0 (search/found)
Automa risk mask: 3/0 (search/found)
Automa common alpns: 32/32 (search/found)
Patricia risk mask: 42/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia protocols: 23/19 (search/found)
DNS 5 306 1
TLS 58 22847 3
Messenger 18 5263 1
GoogleServices 15 2661 1
TunnelBear 325 84150 15
JA3 Host Stats:
IP Address # JA3C
1 10.8.0.1 6
2 10.158.132.91 1
1 TCP 10.8.0.1:45104 <-> 104.17.115.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][28 pkts/5840 bytes <-> 27 pkts/10868 bytes][Goodput ratio: 74/87][1.54 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.301 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 43/66 265/436 77/110][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 209/403 590/3711 190/888][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][ServerNames: *.polargrizzly.com,polargrizzly.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA][Subject: CN=*.polargrizzly.com][Certificate SHA-1: 1D:D9:82:8B:E8:9A:66:86:18:67:66:52:EE:02:6C:7D:09:12:B4:17][Safari][Validity: 2022-06-15 00:00:00 - 2023-07-15 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 4,8,4,17,0,0,0,0,4,4,21,0,0,0,0,0,17,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13]
2 TCP 10.8.0.1:33830 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][29 pkts/6388 bytes <-> 30 pkts/7789 bytes][Goodput ratio: 75/79][1.45 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.099 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 35/57 344/340 83/95][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 220/260 590/2954 209/644][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 3,22,7,11,3,0,7,0,3,0,11,0,0,0,0,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7]
3 TCP 10.8.0.1:50178 <-> 104.17.154.236:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][13 pkts/2849 bytes <-> 12 pkts/7134 bytes][Goodput ratio: 75/91][0.68 sec][Hostname/SNI: api.tunnelbear.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.429 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 51/74 393/449 118/137][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 219/594 590/5527 219/1499][TLSv1.2][JA3C: a1c672bda2bda1a05bdca801144b2760][ServerNames: *.tunnelbear.com,tunnelbear.com][JA3S: a885fb01204bc11cc58efc02fe640899][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA][Subject: CN=*.tunnelbear.com][Certificate SHA-1: 52:96:E2:83:CC:15:4E:B3:0F:5B:1D:E2:E8:FF:4E:A9:C4:E9:C0:AF][Safari][Validity: 2022-06-07 00:00:00 - 2023-07-08 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,27,9,0,0,0,0,0,0,0,9,9,0,0,0,0,27,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]
4 TCP 10.8.0.1:50904 <-> 104.17.154.236:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][10 pkts/2689 bytes <-> 10 pkts/6997 bytes][Goodput ratio: 79/92][0.84 sec][Hostname/SNI: api.tunnelbear.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.445 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 105/97 383/336 151/137][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 269/700 590/5527 236/1622][TLSv1.2][JA3C: a1c672bda2bda1a05bdca801144b2760][ServerNames: *.tunnelbear.com,tunnelbear.com][JA3S: a885fb01204bc11cc58efc02fe640899][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA][Subject: CN=*.tunnelbear.com][Certificate SHA-1: 52:96:E2:83:CC:15:4E:B3:0F:5B:1D:E2:E8:FF:4E:A9:C4:E9:C0:AF][Safari][Validity: 2022-06-07 00:00:00 - 2023-07-08 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,11,11,0,0,0,0,0,0,0,11,0,11,0,0,0,33,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11]
5 TCP 10.8.0.1:47594 <-> 99.83.135.170:443 [proto: 91/TLS][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][cat: Web/5][11 pkts/2035 bytes <-> 13 pkts/7075 bytes][Goodput ratio: 70/90][2.41 sec][Hostname/SNI: capi.grammarly.com][bytes ratio: -0.553 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 146/225 445/907 178/264][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 185/544 590/4080 163/1089][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: c60d01d600aacc2c04844595ce224279][ServerNames: capi.grammarly.com,capi-msdk.grammarly.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Amazon, OU=Server CA 1B, CN=Amazon][Subject: CN=capi.grammarly.com][Certificate SHA-1: 1F:4A:0B:A6:60:01:94:7D:3D:94:03:14:5A:30:AF:64:D5:EC:58:DD][Safari][Validity: 2022-03-22 00:00:00 - 2023-04-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,16,0,16,8,8,0,0,0,8,8,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,8]
6 TCP 10.8.0.1:48222 <-> 162.247.243.188:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Web/5][9 pkts/1985 bytes <-> 8 pkts/4930 bytes][Goodput ratio: 74/91][1.54 sec][Hostname/SNI: mobile-collector.newrelic.com][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.426 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 212/256 1145/1199 391/431][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 221/616 590/3918 217/1255][TLSv1.2][JA3C: 3967ff2d2c9c4d144e7e30f24f4e9761][ServerNames: *.newrelic.com,newrelic.com][JA3S: a885fb01204bc11cc58efc02fe640899][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Francisco, O=New Relic, Inc., CN=*.newrelic.com][Certificate SHA-1: 90:B0:56:FB:4D:88:5C:EB:F9:79:45:35:26:15:0C:00:F4:08:72:77][Safari][Validity: 2022-02-07 00:00:00 - 2023-03-03 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,14,0,0,0,0,0,14,0,14,14,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14]
7 TCP 10.8.0.1:47496 <-> 162.247.243.188:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Web/5][9 pkts/1892 bytes <-> 8 pkts/4930 bytes][Goodput ratio: 73/91][0.51 sec][Hostname/SNI: mobile-collector.newrelic.com][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.445 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 65/76 290/290 100/104][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 210/616 590/3918 211/1255][TLSv1.2][JA3C: 3967ff2d2c9c4d144e7e30f24f4e9761][ServerNames: *.newrelic.com,newrelic.com][JA3S: a885fb01204bc11cc58efc02fe640899][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Francisco, O=New Relic, Inc., CN=*.newrelic.com][Certificate SHA-1: 90:B0:56:FB:4D:88:5C:EB:F9:79:45:35:26:15:0C:00:F4:08:72:77][Safari][Validity: 2022-02-07 00:00:00 - 2023-03-03 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,14,0,0,0,0,14,14,0,0,14,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14]
8 TCP 10.8.0.1:45108 <-> 104.17.115.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][10 pkts/1309 bytes <-> 7 pkts/4360 bytes][Goodput ratio: 57/91][0.20 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.538 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18/39 135/132 44/50][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 131/623 571/3709 151/1265][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][ServerNames: *.polargrizzly.com,polargrizzly.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA][Subject: CN=*.polargrizzly.com][Certificate SHA-1: 1D:D9:82:8B:E8:9A:66:86:18:67:66:52:EE:02:6C:7D:09:12:B4:17][Safari][Validity: 2022-06-15 00:00:00 - 2023-07-15 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,16,34,0,0,0,0,0,0,0,16,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16]
9 TCP 10.8.0.1:45114 <-> 104.17.115.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][7 pkts/1147 bytes <-> 6 pkts/4309 bytes][Goodput ratio: 65/92][0.25 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.580 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/51 39/61 135/132 53/47][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 164/718 571/3712 174/1344][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][ServerNames: *.polargrizzly.com,polargrizzly.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA][Subject: CN=*.polargrizzly.com][Certificate SHA-1: 1D:D9:82:8B:E8:9A:66:86:18:67:66:52:EE:02:6C:7D:09:12:B4:17][Safari][Validity: 2022-06-15 00:00:00 - 2023-07-15 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,20,0,20,0,0,0,0,0,20,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20]
10 TCP 10.8.0.1:45106 <-> 104.17.115.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][7 pkts/1147 bytes <-> 6 pkts/4308 bytes][Goodput ratio: 65/92][0.26 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.579 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 40/62 133/131 52/46][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 164/718 571/3711 174/1344][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][ServerNames: *.polargrizzly.com,polargrizzly.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA][Subject: CN=*.polargrizzly.com][Certificate SHA-1: 1D:D9:82:8B:E8:9A:66:86:18:67:66:52:EE:02:6C:7D:09:12:B4:17][Safari][Validity: 2022-06-15 00:00:00 - 2023-07-15 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,20,0,20,0,0,0,0,0,20,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20]
11 TCP 10.8.0.1:60224 <-> 157.240.7.32:443 [proto: 91.157/TLS.Messenger][IP: 119/Facebook][Encrypted][Confidence: DPI][cat: Chat/9][9 pkts/1320 bytes <-> 9 pkts/3943 bytes][Goodput ratio: 62/88][0.75 sec][Hostname/SNI: mqtt-mini.facebook.com][TLS Supported Versions: TLSv1.3;TLSv1.3 (Fizz)][bytes ratio: -0.498 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 107/92 386/335 131/108][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 147/438 575/2814 167/854][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.3][JA3C: 82932b3c6398511df186dfc9416db2d4][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 25,12,0,0,0,12,0,12,0,0,0,0,0,0,0,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12]
12 TCP 10.8.0.1:45126 <-> 104.17.115.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][16 pkts/3179 bytes <-> 16 pkts/2058 bytes][Goodput ratio: 72/58][0.56 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/29 107/57 34/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 199/129 590/803 207/183][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 7,24,7,0,7,7,0,0,7,0,7,0,0,0,0,0,24,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
13 TCP 10.8.0.1:47046 <-> 74.125.200.188:5228 [proto: 91.239/TLS.GoogleServices][IP: 126/Google][Encrypted][Confidence: DPI][cat: Web/5][8 pkts/1433 bytes <-> 7 pkts/1228 bytes][Goodput ratio: 68/69][0.45 sec][Hostname/SNI: mtalk.google.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 50/79 243/193 88/64][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 179/175 587/583 197/182][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **][Risk Score: 60][Risk Info: No ALPN][TLSv1.3][JA3C: 58e34c2965c9f3fa4919d58deef1f49e][JA3S: 2b0648ab686ee45e0e7c35fcfb0eea7e][Safari][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,16,16,0,0,16,0,0,0,0,0,16,0,0,0,34,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
14 TCP 10.8.0.1:33846 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][10 pkts/1298 bytes <-> 9 pkts/642 bytes][Goodput ratio: 57/24][0.37 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.338 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 46/58 339/331 111/122][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 130/71 571/210 150/49][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 16,34,16,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
15 TCP 10.8.0.1:45124 <-> 104.17.115.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][9 pkts/1244 bytes <-> 8 pkts/588 bytes][Goodput ratio: 59/26][0.42 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.358 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/4 53/90 192/193 68/71][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 138/74 571/210 162/52][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,25,0,0,25,25,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
16 TCP 10.158.132.91:38398 -> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][5 pkts/1821 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][0.46 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][Safari][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
17 TCP 10.8.0.1:33838 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][8 pkts/1190 bytes <-> 7 pkts/603 bytes][Goodput ratio: 62/37][0.45 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 75/84 359/350 129/135][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 149/86 571/210 164/56][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,16,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
18 TCP 10.8.0.1:33842 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][8 pkts/1190 bytes <-> 7 pkts/603 bytes][Goodput ratio: 62/37][0.45 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/2 74/85 340/331 122/125][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 149/86 571/210 164/56][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,16,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
19 TCP 10.8.0.1:33848 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][8 pkts/1190 bytes <-> 7 pkts/603 bytes][Goodput ratio: 62/37][0.43 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/80 338/330 121/127][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 149/86 571/210 164/56][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,16,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
20 TCP 10.8.0.1:33858 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][cat: VPN/2][3 pkts/699 bytes <-> 2 pkts/108 bytes][Goodput ratio: 74/0][0.01 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][Safari][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
21 TCP 10.158.132.91:51120 <-> 8.8.8.8:53 [proto: 5/DNS][IP: 126/Google][ClearText][Confidence: Match by port][cat: Network/14][3 pkts/198 bytes <-> 2 pkts/108 bytes][Goodput ratio: 0/0][0.00 sec][::][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Reference in a new issue View git blame Copy permalink